RE: AIM Password theft
It is a zero day bug, one of two found in IE these past two weeks. It was
publicly disclosed. Apparently, someone is using it. Which is not a
surprise.
Jelmer's Bug:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010013.html
A fix for this issue:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010042.html
Or, you can turn off ActiveX and Javascript... But, most people will not do
that, and you might as well kill this component anyway.
> -----Original Message-----
> From: Brent Meshier [mailto:brent@xxxxxxxxxxx]
> Sent: Tuesday, September 23, 2003 12:13 PM
> To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: AIM Password theft
>
>
> Mark,
> The code you just sent looks familiar to a SPAM I
> received attempting to hijack users' e-gold accounts. Out of
> curiosity I followed that link which loaded start.html
> (attached). What worries me is that I'm running IE
> 6.0.2800.1106 with all the latest patches from Microsoft and
> this page (start.html) rewrote wmplayer.exe on my local drive
> without notice. After closing the page, I found two .exe
> files on my desktop (which loaded from
> http://doz.linux162.onway.net/eg/1.exe).
> Is this a new unknown vulnerability?
>
> Brent Meshier
> Global Transport Logistics, Inc.
> http://www.gtlogistics.com/
> "Innovative Fulfillment Solutions"
>
> -----Original Message-----
> From: Mark Coleman [mailto:markc@xxxxxxxxxxxxx]
> Sent: Tuesday, September 23, 2003 11:43 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Fwd: Re: AIM Password theft]
>
> Hi, can anyone shed some light on this for me? If this is new, it's
> going to spread like wildfire. AOL or incidents lists have yet to
> reply.... it appears to be a legitimate threat as I have at least one
> user "infected" already.. Thank you..
>
> -Mark Coleman
>